He may have to wait a little longer. Keen to patch any security holes, Microsoft recently announced that the consumer version of Windows Vista won’t be available until January — too late for the crucial holiday selling season. PC makers, already smarting from exploding laptops and imploding margins, are no doubt thrilled by the news.
John Edwards writes frequently about technology.
The Password Is: “Annoying”
When it comes to computer passwords, employees aren’t the cleverest bunch. Most network administrators will gladly regale you with lists of actual passwords chosen by actual employees that don’t exactly qualify as brain-benders. Indeed, hackers who can’t crack Snoopy or Soxrule generally end up in another line of work.
Of course, you can’t blame employees for trying to keep their passwords simple. With IT managers struggling to keep interlopers out, many businesses now require workers to change their sign-ons every three months or so. And often, different passwords must be created for a number of tasks, including logging on to a network, retrieving E-mail, and accessing departmental databases. A new password doesn’t always work straightaway with the offline version of a program, either, so the user must remember both the new and the 5 to 10 IDs and passwords — or more if the employee visits external job-related sites.
And these days, words alone won’t cut it. Network administrators typically insist that sign-ons include numbers, typographic characters, past rulers of Sweden — anything to confound hackers. Forced to hold a cavalcade of unfamiliar passwords in their heads, employees tend to forget their sign-ons. According to Jonathan Penn, a principal analyst (Identity & Security) at IT consultancy Forrester Research, the average worker now makes four calls a year to a company help desk for password resets.
This gets expensive. A recent survey found that a single request for password help costs employers anywhere from $8 to $15. That means a company with 20,000 workers can end up shelling out almost $1 million each year helping users log on. Says Richard Weigand, IT program manager at the United States Postal Service (USPS): “It’s clearly a universal problem.”
What’s My Line?
He should know. A few years back, managing employee passwords had become a real headache for USPS. Weigand says some of the federal agency’s 150,000 users had nearly a dozen sign-ons. The situation had gotten so bad, in fact, that the help desk was receiving up to 30,000 password-related calls a month. “It was expensive for us,” acknowledges Weigand. “And our user community was unhappy.”
After examining the situation, USPS turned to single-sign-on software to solve the problem. Such programs, marketed by vendors like Unisys, CA, Novell, RSA, and Passlogix, enable employees to maintain one password for access to all approved applications, regardless of platform. Weigand says USPS was able to deploy the software (v-Go from Passlogix) without having to modify any existing code. As a backup, the agency also built a Web-based self-help system where users can reset passwords.
The result? The internal help desk at USPS now fields 5,000 to 7,000 password-related calls each month — a decrease of nearly 80 percent. More impressive: the agency has recorded this dramatic drop-off despite a doubling of its user population. Although Weigand won’t give exact figures, he says the sign-on software and self-help system have saved the agency millions of dollars.
Small businesses can benefit from sign-on software, too. At Dionco Inc., a retail consultancy in Chicago, president James Dion says he was tired of having to fill out virtual forms and remember passwords. It’s understandable; Dion, who does a lot of online purchasing, carries 600 user names and sign-ons. “This is one of the biggest headaches for anyone who visits lots of sites that require password information.”
To ease the pain, Dion purchased a Web-based program called RoboForm (from Siber Systems). The application automatically fills out blank entry lines and protects IDs and passwords. To get into a site, a user can either enter the specific password for that home page or enter a master password from RoboForm. The software then types the login. The program also automatically fills in Web forms. Equally important: RoboForm does all this without using keystrokes, thus frustrating key loggers.
Expect to see more companies signing up for single-sign-on software. There’s certainly no shortage of applications to choose from. And Microsoft will flex some muscle when it launches Windows Live ID next year. The authentication software — essentially a revamped version of the much-maligned Passport program — will be part of the Windows Live suite of Web services. “Passwords aren’t going to go away,” says Forrester’s Penn. “But once we hide everything from [users] and automate their use in applications, IT will gain a great deal of control over password management.”
Esther Shein covers business technology from Framingham, Massachusetts.